Abstract

This paper describes a suite of intrusion detection tools developed by the Reliable Software Group at UCSB. The tool suite is based on the State Transition Analysis Technique (STAT), in which computer penetrations are specified as sequences of actions that cause transitions in the security state of a system. This general approach has been extended and tailored to perform intrusion detection in different domains and environments. The most recent STAT-based intrusion detection systems were developed following a framework-based approach, and the resulting design uses a "core" module that embodies the domain-independent characteristics of the STAT approach. This generic core is extended in a well-defined way to implement intrusion detection systems for different domains and environments. The approach supports reuse, portability, and extendibility, and it allows for the optimization of critical functionalities.

1. Introduction

The evolution of computer networks fostered a deep change in t...
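The abstract describes a domain-independent "core" (attack scenarios as state machines driven by events) that is extended per domain. The following Python sketch is an added illustration of that design and is not code from the STAT tool suite, STATL or USTAT: the engine only knows events, states and guarded transitions, and a single assumed host-domain extension (a password-guessing scenario over constructed login audit records) is plugged into it. The event format, the scenario, the failure threshold and the sample records are all assumptions for the example.

```python
"""Toy state-transition (STAT-style) misuse detector.

Added illustration only: not the UCSB STAT tool suite, STATL or USTAT code.
The "core" below is domain-independent (events, states, guarded transitions);
the password-guessing scenario and the login-record format at the bottom are
one assumed host-domain extension of that core.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]                   # one audit record (assumed shape)
Guard = Callable[[Event, dict], bool]       # predicate over (event, bound vars)
Bind = Callable[[Event, dict], None]        # records facts for later guards


@dataclass
class Transition:
    src: str
    dst: str
    guard: Guard
    bind: Bind = lambda e, env: None


@dataclass
class Scenario:
    name: str
    initial: str
    final: str
    transitions: List[Transition]


@dataclass
class Instance:
    state: str
    env: dict = field(default_factory=dict)   # scenario-local variables


class StatCore:
    """Domain-independent engine: runs every scenario instance over an event stream."""

    def __init__(self, scenarios: List[Scenario]):
        self.scenarios = scenarios
        # One prototype instance per scenario waits in the initial state forever.
        self.instances = {s.name: [Instance(s.initial)] for s in scenarios}
        self.alerts: List[Tuple[str, dict]] = []

    def _step(self, sc: Scenario, inst: Instance, event: Event) -> Optional[Instance]:
        for t in sc.transitions:
            if t.src == inst.state and t.guard(event, inst.env):
                env = dict(inst.env)        # copy so a fork does not share bindings
                t.bind(event, env)
                return Instance(t.dst, env)
        return None

    def feed(self, event: Event) -> List[Tuple[str, dict]]:
        """Advance all instances by one event; return scenarios completed by it."""
        fired: List[Tuple[str, dict]] = []
        for sc in self.scenarios:
            survivors = []
            for inst in self.instances[sc.name]:
                nxt = self._step(sc, inst, event)
                if nxt is None:                 # no enabled transition: keep waiting
                    survivors.append(inst)
                    continue
                if inst.state == sc.initial:    # fork: the prototype stays behind
                    survivors.append(inst)
                if nxt.state == sc.final:
                    fired.append((sc.name, nxt.env))
                else:
                    survivors.append(nxt)
            self.instances[sc.name] = survivors
        self.alerts.extend(fired)
        return fired


# ---- assumed host-domain extension: login audit records ----

def login_event(result: str, user: str, src: str) -> Event:
    return {"type": "login", "result": result, "user": user, "src": src}


def same_session(e: Event, env: dict) -> bool:
    return (e.get("type") == "login" and e.get("user") == env.get("user")
            and e.get("src") == env.get("src"))


def password_guess_scenario(failures: int = 2) -> Scenario:
    """`failures` failed logins for one (user, src), then a success for the same pair."""
    def first_failure(e: Event, env: dict) -> bool:
        return e.get("type") == "login" and e.get("result") == "fail"

    def remember(e: Event, env: dict) -> None:
        env.update(user=e["user"], src=e["src"], failures=1)

    def another_failure(e: Event, env: dict) -> bool:
        return same_session(e, env) and e.get("result") == "fail"

    def count(e: Event, env: dict) -> None:
        env["failures"] += 1

    def success(e: Event, env: dict) -> bool:
        return same_session(e, env) and e.get("result") == "ok"

    ts = [Transition("s0", "s1", first_failure, remember)]
    for i in range(1, failures):
        ts.append(Transition(f"s{i}", f"s{i + 1}", another_failure, count))
    ts.append(Transition(f"s{failures}", "compromised", success))
    return Scenario("password-guessing", "s0", "compromised", ts)


SAMPLE_AUDIT: List[Event] = [            # constructed records, not real audit data
    login_event("fail", "alice", "10.0.0.5"),
    login_event("ok", "bob", "10.0.0.9"),
    login_event("fail", "alice", "10.0.0.5"),
    login_event("fail", "alice", "10.0.0.7"),   # other source: tracked separately
    login_event("ok", "alice", "10.0.0.5"),     # completes the 10.0.0.5 instance
]


def run(events: List[Event] = SAMPLE_AUDIT, failures: int = 2) -> List[Tuple[str, dict]]:
    core = StatCore([password_guess_scenario(failures)])
    for e in events:
        core.feed(e)
    return core.alerts
```

Two points the sketch makes concrete. First, a prototype instance never leaves the initial state; each event that enables its first transition forks a new instance with its own bindings, so the attempts from 10.0.0.5 and 10.0.0.7 against the same account are tracked as separate partial attacks rather than merged. Second, nothing in `StatCore` refers to logins: swapping the event provider and the scenario's guards for network traffic (as a NetSTAT-style extension would) leaves the core untouched, which is the reuse and portability claim the abstract makes.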

Citations

...dvantage is paid for in terms of the large number of false positives and the difficulty of training a system with respect to a very dynamic environment. The State Transition Analysis Technique (STAT) [7] was conceived as a misuse detection method to describe computer penetrations as sequences of actions that an attacker performs to compromise the security of a computer system. The STAT approach mitig...

...gainst dynamic download and installation of code coming from untrusted sources. In world-wide networked settings the mainstream security solution is represented by firewalls and domain-level security [1, 2]. With this approach networks are divided into smaller subnetworks that are under the control of a single authority. These security domains use internal mechanisms and policies to authenticate and aut...

..., on the applications, or on the network. Behavior profiles may be built by performing statistical analysis on historical data [8] or by using rule-based approaches to specify behavior patterns (e.g., [10]). Anomaly detection compares actual usage patterns against the established profiles to identify abnormal patterns of activity. Misuse detection systems take a complementary approach. The detection ...

... "normal" behavior of a computer system. The model may focus on the users, on the applications, or on the network. Behavior profiles may be built by performing statistical analysis on historical data [8] or by using rule-based approaches to specify behavior patterns (e.g., [10]). Anomaly detection compares actual usage patterns against the established profiles to identify abnormal patterns of activity...

...nature action would include the TCP segments used to test the TCP ports of a host. The state transition analysis technique has been applied to host-based intrusion detection, and a tool, called USTAT [5, 6, 13], has been developed. USTAT uses state transition representations as the basis for rules to interpret changes in a computer system's state and to detect intrusions in real-time. The changes in the com...

...ogy and the network services deployed. The Analyzer uses the annotations in STATL scenarios to determine where the probes must be placed in the protected network and how the probes must be configured [16]. 5. Conclusions and future work The core-based framework for the development of STAT-based intrusion detection systems provides a number of advantages. The framework supports efficient development of ...

...urces are the auditing facilities available on the monitored hosts. The natural evolution of state transition analysis was its direct application to networks. NetSTAT was the result of this evolution [15]. NetSTAT is a tool aimed at real-time network-based intrusion detection. NetSTAT takes advantage of the peculiar characteristics of intrusion detection based on the analysis of network traffic. Netwo...

...AT and USTAT systems were evaluated as part of both the MIT Lincoln Laboratory's off-line intrusion detection system evaluation [12] and the Air Force Research Laboratory (AFRL) real time evaluation [3, 4]. In the first case, USTAT and NetSTAT were used to analyze BSM logs and network traffic dumps of several weeks of traffic looking for attack signatures. In the second case, NetSTAT and USTAT were ins...

... audit trail produced within a single operating system. The USTAT design has been extended to detect attacks that involve multiple hosts sharing network file systems. The resulting tool, called NSTAT [9], uses a client-server architecture to collect audit records from different sources (hosts), merge them into a single audit trail, manage synchronization and correlation among the different trails, an...

...er system's state are monitored by leveraging the auditing facilities provided by security-enhanced operating systems, such as Sun Microsystems' Solaris equipped with the Basic Security Module [14]. The first implementation of the USTAT tool clearly demonstrated the value of the STAT approach, but USTAT was developed in an ad hoc way and several characteristics of the first USTAT prototype were...

...ol that would fit the new domain. In the second half of 1998, the NetSTAT and USTAT systems were evaluated as part of both the MIT Lincoln Laboratory's off-line intrusion detection system evaluation [12] and the Air Force Research Laboratory (AFRL) real time evaluation [3, 4]. In the first case, USTAT and NetSTAT were used to analyze BSM logs and network traffic dumps of several weeks of traffic look...

... are divided into smaller subnetworks that are under the control of a single authority. These security domains use internal mechanisms and policies to authenticate and authorize users (e.g., Kerberos [11]). Domains are protected against access from outer domains by means of firewalls, which are network filters that regulate the access to an internal network from the outside. Even though domain-level s...